PHP globals passed by reference in hive() result #424
Comments
This is expected behavior of assigning values to PHP globals. It's a bug in the escaping and raw conversion that you discovered. Nice spot. Fixed in latest commit.

Why is this expected behaviour? In the example above
The effect of commit fba00ea is to prevent escaping of PHP globals in views/templates. I don't think that's desired. Check this example:
Potential double quotes in

How would you synchronize $_POST and the framework's POST (so you can use them interchangeably) without using references then?

Can't we force

Now we're back to the original issue: PHP globals are modified at rendering time:
I insist that this is linked to the fact that
If hive() was returning a real copy of the hive, this would not happen. One way to force it to return values would be to pass it through a dummy function:
UPDATE: the modified function above doesn't exactly perform a deep copy of F3's hive. It works with
That's becoming heavy..

Hm.. no ... still fails. I tested now by myself.

```php
// Back up the framework's view of the PHP globals before rendering
$globals_bkp = array();
foreach (explode('|','GET|POST|COOKIE|REQUEST|SESSION|FILES|SERVER|ENV') as $global)
    $globals_bkp[$global] = $fw->get($global);
$out = $this->sandbox($fw->get('ESCAPE')?
    $fw->esc($hive):$hive);
// Restore the globals that escaping may have overwritten
$fw->mset($globals_bkp);
return $out;
```

works good

Shallow-copy of hive used in this third debug iteration.

I'm a bit confused now. What's escaped, what's not, what's passed by reference, what's not..

and what do you get using raw at the end?

It probably decodes the string but the example is there to underline the fact that template rendering overwrites the hive.

what happens if we render two templates? Does it double encode the already encoded hive references?

No because F3 uses

Deep-copy of hive now implemented. It was a bit tricky because not only are PHP globals involved but user-defined objects too. Additionally, not all objects in PHP are cloneable, hence the

It looks better but still fails with PHP globals:

Done

question: what happens to the object then? methods are removed? and what about visibility modifiers (private / protected etc)

@bcosca thanks it works now

I mean it works for PHP globals. But after @KOTRET's question, I made a test with objects and it appears that since they are converted to stdClass, they become unusable inside a template (loss of methods + private/protected are exposed):
test.html:

well, that is even worse than the very first issue.

Well since it's not possible to clone all objects, we just simplify the code and clone whatever the framework can. This way templates still have access to the object's methods. But users should be mindful that uncloneable objects are always passed by reference.

There's still a small issue: since

imho this is the wrong place to fiddle around with, for me the bug is in

@KOTRET: no this does only take effect when you set your template token like

yea, and what we are working on?

@xfra35 Fixed

don't understand why $hive gets escaped, passed to the sandbox where the built file includes

It's a recursive call.

@bcosca I think you forgot to update the repository. You wrote "Fixed" but nothing has changed.

@xfra35 I noticed when I pushed to the dev branch a few minutes ago

The hive() method returns a copy of the F3's hive, except for PHP globals which are passed by reference:

A consequence of this behaviour is that the HTML escaping performed in View & Template classes overwrites PHP globals (including session variables) as described by Andrew on Google groups.
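
The behaviour this thread turns on, as an added example that is not part of the issue or of F3's own code: a by-value copy of a PHP array keeps any reference slots it contains, so escaping the copy writes into `$_POST`, while a copy rebuilt slot by slot does not. `$hive`, `esc()` and `deep_copy()` are hypothetical stand-ins, and the sample input is constructed.

```php
<?php
// $hive is a constructed stand-in for the framework hive;
// esc() and deep_copy() are hypothetical helpers, not F3 methods.
$_POST = ['name' => '<b>"quoted"</b>'];   // constructed sample input
$hive  = ['title' => 'Tom & Jerry'];
$hive['POST'] = &$_POST;                  // hive slot bound by reference

// Recursive HTML escaping of an array that was passed by value.
function esc(array $data): array {
    foreach ($data as $key => $val) {
        // If $data[$key] is a reference slot, this assignment writes
        // through it into whatever variable shares the reference.
        $data[$key] = is_array($val)
            ? esc($val)
            : htmlspecialchars((string)$val, ENT_QUOTES);
    }
    return $data;
}

// Rebuild arrays slot by slot so that no reference slot survives; clone
// objects where PHP allows it, otherwise keep the original handle.
function deep_copy($val) {
    if (is_array($val)) {
        $out = [];
        foreach ($val as $key => $item) {
            $out[$key] = deep_copy($item);
        }
        return $out;
    }
    if (is_object($val) && (new ReflectionClass($val))->isCloneable()) {
        return clone $val;
    }
    return $val;
}

$original = $_POST['name'];

// Case 1: escape a deep copy. The POST slot in the copy is a plain value.
$safeView = esc(deep_copy($hive));
printf("after deep copy:    POST unchanged = %s\n",
    var_export($_POST['name'] === $original, true));

// Case 2: escape a plain by-value copy. Its POST slot is still a reference.
$shallow = $hive;
$view    = esc($shallow);
printf("after shallow copy: POST unchanged = %s\n",
    var_export($_POST['name'] === $original, true));
```

An object that cannot be cloned is still shared with the caller after `deep_copy()`, which matches the caveat given in the thread about uncloneable objects.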